
HHS unveils healthcare cybersecurity, threat mitigation resource website

An October 2021 cyberattack on Norwood Clinic in Alabama was reported to HHS as impacting 228,103 patients. (Photo by Alex Wong/Getty Images)

A new Department of Health and Human Services website aims to provide the healthcare and public health sector with useful and vetted cybersecurity resources, products, and other helpful tools to raise awareness of best-practice security and the risks to patient safety.

The website was unveiled by the HHS Office of Chief Information Officer (OCIO) and Office of Information Security (OIS) under the mission that cybersecurity equals patient safety. The hope is that all healthcare organizations will leverage the resource, creating behavioral and consistent change to mitigate the most pressing healthcare risks.

The HHS 405(d) Aligning Health Care Industry Security Approaches Program website was developed through an HHS 405(d) Task Group partnership, including more than 150 industry and federal government stakeholders.

The HHS 405(d) Program was developed following the Cybersecurity Act of 2015, wherein HHS convened a CSA 405(d) Task Group to align the sector’s approaches to cybersecurity through the development of voluntary, consensus-based, and industry-led cybersecurity guidelines.

The site compiles their insights, guided by a shared vision of the need for all organizations to work together to combat healthcare cybersecurity threats.

The website includes the Health Industry Cybersecurity Practices and various resources, such as infographics, bi-monthly newsletters, webinar recordings, and threat-specific products to support cybersecurity awareness and training efforts. With its launch, the website “establishes a single 405(d) program platform for the entire healthcare sector.” 

“The new 405(d) Program website is a step forward for HHS to help build cybersecurity resilience across the Healthcare and Public Health Sector,” said Christopher Bollerer, HHS acting chief information security officer, in the release.

According to officials, 405d.hhs.gov is now the home for the 405(d) Task Group and for all information, events, products, and tools released by the 405(d) Program.

“This website is the first of its kind,” said Erik Decker, 405(d) Task Group Industry co-lead and Intermountain Health CISO, in a statement. “It’s a unique space where the healthcare industry can access vetted cybersecurity practices specific to the HPH sector on a federal government website.”

For Decker, the resource should become a reliable source for entities working to better protect patients and the enterprise from the latest cybersecurity threats. The site joins previous resources aimed at supporting healthcare organizations, including a ransomware-focused site from Mitre.

For years, individual healthcare security leaders and researchers raised the alarm on the risk cybersecurity can pose to patients. After a year in which multiple ransomware-induced network downtimes caused care diversion and other disruptions, the impact of security events on care and patients has become the overwhelming consensus among healthcare leaders.

An ongoing lawsuit alleges that a cyberattack-induced outage caused an infant’s death, while another claims a patient’s care was diminished during network outages caused by a hospital’s vendor. Stakeholders warn these types of lawsuits may become more common, as cyberattacks continue to bring hospitals offline.

The website aims to bring awareness to these challenges and support providers in preventing similar incidents at their organizations.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
